nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

We're spying on you for your own protection, says NSA, FBI

Except we're not, of course, because that would be illegal

By Kieren McCarthy, 19 Apr 2017

A new factsheet by the NSA and FBI has laid bare ludicrous contradictions in how US intelligence agencies choose to interpret a law designed to prevent spying on American citizens, but which they use to achieve exactly that end.

  • While noting that the law specifically bans the gathering of information on US citizens, it then defends both the gathering and retention of information on US citizens.
  • While claiming that its procedures severely limit the amount of information that is gathered on individual US citizens, it claims to be unable to provide even an estimate as to how many US citizens' records are in its database.
  • While noting it is illegal to specifically target US citizens using their personally identifiable information without a warrant, it then argues why it should be allowed to continue searching US citizens' personally identifiable information without a warrant.
  • And while claiming that it does not use the law to undertake mass surveillance or bulk collection of information, it defends tapping the internet's backbone and gathering information where the claimed target of surveillance is neither the sender nor the receiver of the information.

The document even claims that it is surveilling US citizens for their own protection while at the same time claiming that it is not doing so.

The obvious and painful contradictions within the 10-page document [PDF] are testament to the very reason why the factsheet had to be prepared in the first place: Congress is threatening not to renew the legislation due to the intelligence agencies' willful misrepresentation of the law to perform the very activities it was designed to prevent.

Come again?

FISA – the Foreign Intelligence Surveillance Act – was enacted in 1978 and authorizes US intelligence agencies to carry out electronic surveillance of foreign persons outside the US. It specifically prohibited surveillance of US citizens and foreign persons within US borders.

But in 2008, the FISA Amendments Act (FAA) was passed to recognize the modern realities of internet communications: that foreign intelligence targets were using networks based in the United States to communicate. The law gave the intelligence agencies the right to demand that US companies hand over their communications in the search for foreign intelligence.

In an effort to ensure that those searches were restricted to non-US citizens however, the FAA – which was re-authorized in 2012 and now needs to be re-authorized again before the end of 2017 – included various procedures, and checks and balances.

Somewhat inevitably however, those procedures – which remain almost entirely secret – and the check and balances – which have been shown to be ineffective at best – have been slowly undermined by the intelligence agencies to the extent that the FBI now routinely uses personally identifiable information of US citizens, such as an email or phone number, to search a huge database of gathered information if it suspects them of a crime carried out in the US.

That reality is the diametric opposite of what the law was intended to do – hence the ludicrous contradictions between what the intelligence agencies say the law authorizes and the everyday realities that they argue must be retained.

Walk me through it

The first eight pages of the 10-page document are largely accurate, giving a rundown of the law, its history and intentions, and the procedures and checks introduced. In fact, it is a useful and largely objective rundown of the issue.

On page four, the document gives some examples of where use of Section 702 have proven effective: gathering insights into the minds of high-level Middle Eastern government ministers; checking up on sanctions; identifying both terrorists and terrorist sympathizers and alerting other governments to them.

Of the five examples given (of course it's impossible to know how many real-world examples there are), only one covers an arrest on US soil: the case of Najibullah Zazi who was tracked after he sent an email to an al-Qaeda operative in Pakistan asking for help in making bombs. Zazi planned to bomb the subway in New York City but was arrested in 2009 before he had the opportunity to do so. He pled guilty in 2010 and was sentenced to life in prison in 2012. (It is worth noting, however, that Zazi was already under surveillance from US intelligence agencies thanks to his visits to Pakistan, so it's unclear what role the Section 702 data really played.)

The document carefully words some sections covering concern over how the law was being interpreted. As a result of Edward Snowden's revelations, lawmakers and civil society groups started asking precise questions and that resulted in the intelligence agencies releasing limited information about the process it goes through to obtain the rights to spy on people. The document paints the provision of that information as the intelligence agencies' "commitment to furthering the principles of transparency," when nothing could be further from the truth.

It also tries to paint a report by the Privacy and Civil Liberties Oversight Board (PCLOB) into US spying in positive terms. The independent board, the document claims, largely exonerated the intelligence agencies and "made a number of recommendations" that have "been implemented in full or in part by the government."

In reality, the board's report was a damning indictment of the agencies' effort to reinterpret the law to be able to spy on just about anyone. The recommendations that have been implemented "in part" cover the most important improvements, in particular the publication of the procedures that the agencies use in reaching determinations. These critical documents remain entirely secret.

The PCLOB also paid a high price for standing up to the NSA and FBI: they had their authority cut out from under them, the budget was slashed, and all but one of its five board members have either resigned or have not had their terms renewed. It is a shell of an organization that doesn't even answer its phone or emails.

The issues

It is on pages nine and 10 that the real issues appear however – where it addresses "702 issues that are likely to arise in the re-authorization discussion."

These are:

  1. Information gathered on US citizens
  2. Searches carried out on that database
  3. Internet backbone tapping

Despite the law specifically noting that US citizens and people within US borders cannot be spied on through Section 702, in reality the intelligence agencies do exactly that.

The explanation is that this information is "incidental" and is hoovered up as the NSA and others are gathering intelligence on others. The intelligence agencies claim that it affects very few US citizens and so Congress has persistently asked what that number is: how many US citizens are included in the 702 database?

The US House Judiciary Committee first asked that question a year ago – April 2016. There is still no answer.

This latest document notes: "The IC (intelligence community) and DoJ (Department of Justice) have met with staff members of both the House and Senate Intelligence and Judiciary Committees, the PCLOB, and advocacy groups to explain the obstacles that hinder the government's ability to count with any accuracy or to even provide a reliable estimate of the number of incidental US person communications collected through Section 702."

It says that the agencies are "working to produce a relevant metric" to inform discussions.

This is a transparent attempt to prevent a figure on the number of US citizens in the database from being revealed, because it would almost certainly undermine the core contention of the intelligence agencies: that their procedures prevent the unnecessary gathering of information on US citizens.

The really insane part

The second issue: searching of that database using the personally identifiable information of US citizens – something that goes directly against the wording of the law itself – is the most ridiculous part of the document.

"Generally, queries of raw content are only permitted if they are reasonably designed to identify foreign intelligence information," the document states – which fits in with the intent of the law.

But then, in the very same sentence, it reads: "...although the FBI may also conduct such queries to identify evidence of a crime."

Note that the database goes from only gathering foreign intelligence to searching for evidence of a crime carried out in the United States by a US citizen in just 14 words.

How on earth it is possible to legally justify such a position? Hold on to your hats... "Querying databases containing Section 702 information does not result in any new acquisition of data; it is instead only an examination or re-examination of previously acquired information."

And then, piling one ludicrous interpretation onto another, the document claims those searches are not "separate searches" and so the Fourth Amendment – which would apply in virtually every conceivable scenario – does not apply.

The document claims this database searching is "similar to a person searching an email inbox for a particular message" rather than a violation of their constitutional rights against illegal searches.

Congressmen and civil rights groups have been justifiably infuriated by this argument and have insisted that the FBI should have to go through the normal legal process of obtaining a warrant before carrying out such a search.

The document argues: "Adding such a requirement would severely hamper the speed and efficiency of operations by creating an unnecessary barrier to national security professionals' ability to identify potential threat information already in the lawful possession of the IC."

We cannot imagine a US judge supporting that legal argument: that illegal searches should be allowed because getting a warrant is too time-consuming.

And finally

As for tapping the internet backbone, the NSA/FBI acknowledges that it does so – calling it "upstream" collection – and acknowledges that the "NSA has also acquired information 'about' targets of Section 702 – for example, where the target is neither the sender nor the recipient of the collected communications, but the target's tasked selector, such as an email address, is being passed between two other communicants."

It notes that the Foreign Intelligence Surveillance Court (FISC) has "considered upstream collection and concluded that it is lawful," while noting that this information "has allowed the IC to acquire unique intelligence that informs cybersecurity efforts."

Of course what that justification does not address is how the "tasked selector" was identified in the tapping of the internet backbone when it neither came from the individual they were targeting, nor was delivered to them.

This makes a mockery of the claim that Section 702 is only used for targeted surveillance and instead looks as though the NSA is gathering all possible information and searching within it, which inevitably means the gathering of huge amounts of data on US citizens – the very thing the law is supposed to avoid.

The FISC claim is difficult to discern due to continued secrecy of its functioning and its decisions.

But perhaps the most extraordinary claim in the whole document is that spying on US citizens is for their own protection.

"Queries using US person identifiers in Section 702 collection," it reads, "can assist the IC in identifying situations where a US person may be the subject of an imminent threat, with the goal of protecting the US person from harm."

There is of course one positive to the "factsheet" on Section 702: thanks to information in the public domain and Congressional hearings, the intelligence agencies have been forced to flag their own contradictions in how they chose to interpret the law.

If Congress does its job properly, those contradictions will be removed and future-proofed before the intelligence agencies get their right to spy on US communications returned to them. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing